Information Security. Lecture course


IS (Information Security)

Lecture number 1

Information security - the ability of a processing system to ensure, over a specified period of time, that certain processing requirements are met with respect to the likelihood of events that result in the leakage, loss or illegal modification of data that is of value to its owners. The source of these actions is considered to be either accidental influences or the actions of a human attacker.

Automated information processing system (AS) - an organizational and technical system that is a set of the following interrelated components:


  1. Computer facilities and communications.

  2. Data processing methods and algorithms (software).

  3. Arrays and databases presented on any media.

  4. Computer personnel and users.
All these components are combined for the purpose of joint information processing.

Subjects of information relations:

  1. State and government bodies.

  2. State commercial organizations (legal entities).

  3. Citizens (individuals).
They all interact for the purpose of joint processing of information. In relation to the information processed in the AS, each of these subjects can perform one or more of the following roles:

  1. Sources of information.

  2. Users (consumers) of information.

  3. Owners (proprietors) of information.

  4. Individuals or legal entities from whom information is collected.

  5. AS owners and participants in the information processing process.
Three basic properties of the protected information:

  1. Confidentiality. A property indicating that only authorized users and those provided by the information processing system can have access to information.

  2. Integrity. The property of information, which is, firstly, that information can be changed only by users who have the right to do so, and secondly, that the information is not contradictory and reflects the real state of affairs.

  3. Availability. The property of a system in which information circulates, characterized by the ability to provide timely, unimpeded access to information for users who have the appropriate authority to access it.
Information vulnerability - exposure of information to the effects of various destabilizing factors that can lead to a violation of its confidentiality, integrity and availability.

Access to the information:


  1. Familiarization with information, including copying.

  2. Modification of information.

  3. Destruction of information.
Access control rules - rules that delimit the access of subjects to objects in a certain system.

System subject - an active component of the system (user or process), whose actions in relation to objects are regulated by the rules of access control.

System object - a passive component of the system (device, disk, directory, file), access to which is regulated by access control rules.

Unauthorized access - the subject's access to the object bypassing the access control rules set in the system.

Intruder - a subject who carried out or attempted unauthorized access to system objects by mistake, out of ignorance or with malicious intent.

Authentication - verification of the identity of the subject or object.

Identification - assignment of a name to the subject or object of the system.

Verification - checking the integrity of some information.

Strength of protection - the probability of an intruder not overcoming the protection within a certain period of time.

Lecture number 2

Basic methods of information security

"Network security services" are mechanisms for protecting information processed in distributed computing systems and networks.

"Engineering and technical" methods aim to ensure the protection of information through technical channels, for example, protection from the interception of electromagnetic radiation or speech information.

"Legal" and "organizational" methods of information protection create a regulatory framework for organizing various activities related to information security.

"Theoretical" methods of information security address two tasks:


  1. Formalization of various kinds of processes related to information security. For example, a formal model of access control in an AS makes it possible to describe all flows of information passing from subjects to objects and vice versa, and thereby to protect this information effectively.

  2. Rigorous substantiation of the correctness and adequacy of information security systems. Such a task arises, for example, when certifying a system in terms of information security.
Information security threats

A threat is customarily understood as a potential event or action that may harm someone's interests.

Information security threat - potentially possible actions that can violate the confidentiality, integrity or availability of information, as well as the possibility of affecting the components of the AS in a way that leads to their breakdown, loss or failure of functions.

The classification of IS threats can be made according to the following criteria:


  1. By the degree of premeditation:

    1. Accidental. Negligence of staff or accidental actions.

    2. Intentional. Attacker actions.

  2. Depending on the source of the threat:

    1. Threats from the natural environment.

    2. Threats from a person.

    3. Threats from authorized software or hardware. Incorrect handling.

    4. Threats from unauthorized software or hardware. Viruses, eavesdropping devices, hidden cameras, etc.

  3. By the position of the source of the threat:

    1. Threats originating outside the controlled area. For example, remote audio or video recording.

    2. Threats originating from within a controlled area.

  4. By the degree of impact on the AS:

    1. Passive.

    2. Active.
Passive threats, unlike active ones, do not change the structure and composition of the AS when they are carried out, so they are more difficult to detect.

  5. By violation of the three basic properties of protected information:

    1. Confidentiality.

    2. Integrity.

    3. Availability.
Building systems of protection against threats of violation of confidentiality of information

Protection system model:


  1. Organizational and physical security measures.

  2. .

  3. Access control.

  4. 4.1. Cryptographic methods.

    1. Perimeter protection methods.

    2. Logging and auditing.
Primary protection is achieved through organizational methods, and subsequent layers through network security methods. In parallel, a complex of engineering and technical means should be deployed to protect information from leakage through technical channels.

In general, the organizational methods used in an enterprise include the following:


  1. Deployment of a system for controlling and restricting physical access to the elements of the AS.

  2. Creation of a security and physical security service.

  3. Creation of mechanisms to control the movement of employees and visitors, for example, using video surveillance or an access card.

  4. Development and implementation of regulations, job descriptions and other regulatory documents.

  5. Regulation of work with media containing confidential information.
Identification and Authentication

Authentication Methods Classification:


  1. Methods based on the subject's knowledge of some secret information. A classic example is password authentication. These methods are the most common.

  2. Methods based on the subject's possession of some unique object. For example: electronic key, access card, etc.

  3. Methods based on scanning a person's biometric characteristics. For example: fingerprint scan, iris scan, face scan, ordinary and keyboard handwriting.
There are also combined (multi-factor) authentication methods. They combine two or more types of simple authentication (for example: confirmation by SMS or email).

Password Authentication

General scheme of password authentication:


  1. User ID input.

  2. Checking if such an identifier exists in the system.

    1. If it exists, then the authentication procedure is performed.

    2. If the procedure is completed successfully, then authorization occurs.

    3. In case of failure of the authentication procedure, several attempts are given to re-enter.
Often, identification and authentication procedures are combined so that a potential attacker does not know where he made a mistake.

Advantages and disadvantages of the password system


  1. Relative ease of implementation. As a rule, password systems do not require additional hardware.

  2. Tradition. Password protection mechanisms are familiar to most users.

  3. Passwords that are resistant to cracking turn out, as a rule, to be inconvenient to use.
Password security threats

There are 3 types of threats:

Recommendations for the practical implementation of password systems


  1. Setting the minimum password length. This recommendation makes it difficult to brute force a password.

  2. Increasing the cardinality of the password alphabet. This recommendation complicates exhaustive search.

  3. Checking and filtering passwords against various conditions. This recommendation makes it difficult to find a password using a dictionary.

  4. Setting the maximum password validity period (for example, change the password every 2 weeks). Password expiration limits the amount of time an attacker can spend guessing the password.

  5. Screening against the password history log. This mechanism prevents the reuse of passwords that may previously have been compromised.

  6. Limiting the number of password attempts. This recommendation makes it difficult to guess the password interactively.

  7. Timeout when entering an invalid password. This mechanism also makes interactive guessing difficult.

  8. Prohibition of user selection of a password and automatic password generation. This recommendation guarantees the strength of the generated passwords, but users may have problems remembering them.
Lecture number 3

Evaluating the strength of password systems

A is the cardinality of the password alphabet, i.e. the number of symbols that can be used to compose a password.

L is the length of the password.

S = A ^ L - the number of passwords of length L that can be formed from the alphabet A.

V - average speed of password guessing.

T is the maximum password age.

P is the probability of guessing the password for a certain period of time.

P = (V * T) / S = (V * T) / (A ^ L)

Usually, the average speed of password guessing V and the password validity period T are considered to be known values. In this case, by setting the maximum probability P of guessing the password during its validity period, we can calculate the required cardinality of the password space.

S = A ^ L = (V * T) / P

Reducing the speed of password guessing V reduces the probability of guessing the password. From this it follows, in particular, that if guessing is carried out by computing hash functions, then using a hash function that is slow to compute will make the password system more secure.

Methods for storing and transmitting passwords


  1. In open form. This type of storage and transfer is not recommended, even when other protection mechanisms are present.

  2. As the corresponding hash values. This mechanism is convenient for checking passwords, since hash values are almost unambiguously associated with a password, while being of little use to an attacker.

  3. Encrypted. Passwords can be encrypted using some cryptographic algorithm, while the encryption key can be stored either on one of the permanent elements of the system or on a removable medium.
The most convenient and most often used method is storing passwords in the form of hash values. The algorithm for checking passwords is as follows:

  1. When a new user is registered in the system or an existing user changes the password, the value of a one-way hash function is calculated from this password and then entered into the database (H = h(M) is stored in the database).

  2. When a user tries to log in, the hash value is calculated from the password that he entered (H' = h(M')), and the resulting value is compared with the one in the database. If the two values are equal, the password was entered correctly and the user is authorized in the system (H = H' means the password is correct).
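The registration and check steps above, combined with the minimum-length calculation S = A ^ L = (V * T) / P, the attempt limit and the slow-hash remark made earlier in these notes, as an added example in Python that is not part of the original lectures. The per-user salt, PBKDF2 with 100,000 iterations, the three-attempt limit and all names are assumptions of the example; the salt goes beyond the H = h(M) scheme in the text.

```python
import hashlib
import hmac
import math
import secrets

# Illustrative parameters (assumptions of this example, not values from the lecture).
ITERATIONS = 100_000      # slow hash: every guess costs the attacker this many rounds
MAX_ATTEMPTS = 3          # limit on consecutive failed attempts per identifier
GENERIC_ERROR = "invalid identifier or password"
LOCKED = "too many failed attempts"


def min_password_length(alphabet_size, guesses_per_sec, lifetime_sec, max_prob):
    """Smallest L such that A^L >= (V*T)/P, i.e. the lecture's S = A^L = (V*T)/P."""
    required_space = math.ceil(guesses_per_sec * lifetime_sec / max_prob)
    length, space = 0, 1
    while space < required_space:
        space *= alphabet_size
        length += 1
    return length


class PasswordStore:
    def __init__(self, min_length):
        self.min_length = min_length
        self._db = {}          # identifier -> (salt, H)
        self._failures = {}    # identifier -> consecutive failed attempts
        # Record used for unknown identifiers so that they follow the same path.
        self._dummy = (secrets.token_bytes(16), secrets.token_bytes(32))

    @staticmethod
    def _h(password, salt):
        # h(M): PBKDF2-HMAC-SHA256. The salt is an addition beyond H = h(M).
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, user_id, password):
        if len(password) < self.min_length:
            raise ValueError("password is shorter than the policy minimum")
        salt = secrets.token_bytes(16)
        self._db[user_id] = (salt, self._h(password, salt))   # store H, never M
        self._failures.pop(user_id, None)

    def login(self, user_id, password):
        if self._failures.get(user_id, 0) >= MAX_ATTEMPTS:
            return False, LOCKED
        # Identification and authentication are combined: an unknown identifier
        # is hashed against the dummy record and fails with the same message.
        salt, stored = self._db.get(user_id, self._dummy)
        candidate = self._h(password, salt)                   # H' = h(M')
        if hmac.compare_digest(candidate, stored) and user_id in self._db:
            self._failures.pop(user_id, None)
            return True, "ok"
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        return False, GENERIC_ERROR


if __name__ == "__main__":
    two_weeks = 14 * 24 * 3600                     # T, constructed value
    length = min_password_length(26, 1000, two_weeks, 1e-6)
    print("minimum length for a 26-letter alphabet:", length)
    store = PasswordStore(min_length=length)
    store.register("alice", "correct horse battery")
    print(store.login("alice", "correct horse battery"))
    print(store.login("bob", "whatever"))
```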
Access control

Access control is customarily understood as establishing the powers of subjects so that the authorized use of the resources (objects) available in the system can subsequently be checked. There are two main types of access control:


  1. Discretionary. Access control between named objects and named subjects in the system. In practice, it is most often implemented using a matrix of access rights.

  2. Mandatory. Usually implemented as access control by levels of secrecy. The authority of each user is set in accordance with the maximum level of secrecy to which he is admitted, while all the resources of the AS must be classified in accordance with the same levels of secrecy.
In the mandatory model, the following rules hold:

  1. Simple security. A subject with security level X(s) can read information from an object with security level X(o) only if X(o) does not exceed X(s). This is called No Read Up.

  2. Additional property (*-property). A subject with security level X(s) can write data to an object with security level X(o) only if X(s) does not exceed X(o). This is called No Write Down.
The fundamental difference between discretionary and mandatory access control is as follows:

In discretionary access control, the users' rights to access a resource are determined by the owner of that resource, whereas in mandatory access control the secrecy level is set from outside the system. Mandatory access control is understood as compulsory; it is more stringent.
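The access matrix and the two mandatory rules above, as an added example in Python that is not part of the original lectures. Requiring both the discretionary and the mandatory check to pass, the three level names and all subjects and objects are assumptions of the example.

```python
from enum import IntEnum


class Level(IntEnum):
    # Constructed secrecy levels; a higher value means more secret.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


class ReferenceMonitor:
    def __init__(self):
        self.clearance = {}        # subject -> X(s)
        self.classification = {}   # object  -> X(o)
        self.owner = {}            # object  -> owning subject
        self.matrix = {}           # (subject, object) -> set of rights

    def add_subject(self, subject, level):
        # Mandatory part: the level is assigned from outside, not by users.
        self.clearance[subject] = level

    def add_object(self, obj, owner, level):
        self.classification[obj] = level
        self.owner[obj] = owner
        self.matrix[(owner, obj)] = {"read", "write"}

    def grant(self, grantor, subject, obj, right):
        # Discretionary part: only the owner of the object edits the matrix.
        if self.owner.get(obj) != grantor:
            raise PermissionError("only the owner may grant rights")
        self.matrix.setdefault((subject, obj), set()).add(right)

    def check(self, subject, obj, right):
        if right not in self.matrix.get((subject, obj), set()):
            return False, "discretionary: no such right in the access matrix"
        xs, xo = self.clearance[subject], self.classification[obj]
        if right == "read" and xo > xs:
            return False, "mandatory: no read up"
        if right == "write" and xs > xo:
            return False, "mandatory: no write down"
        return True, "granted"


def build_example():
    """Constructed scenario: two subjects, two objects."""
    rm = ReferenceMonitor()
    rm.add_subject("officer", Level.SECRET)
    rm.add_subject("clerk", Level.CONFIDENTIAL)
    rm.add_object("plan", owner="officer", level=Level.SECRET)
    rm.add_object("bulletin", owner="clerk", level=Level.UNCLASSIFIED)
    # The owners hand out rights freely; the levels still constrain them.
    rm.grant("officer", "clerk", "plan", "read")
    rm.grant("officer", "clerk", "plan", "write")
    rm.grant("clerk", "officer", "bulletin", "read")
    rm.grant("clerk", "officer", "bulletin", "write")
    return rm


if __name__ == "__main__":
    rm = build_example()
    for subject in ("officer", "clerk", "visitor"):
        for obj in ("plan", "bulletin"):
            for right in ("read", "write"):
                print(subject, right, obj, "->", rm.check(subject, obj, right))
```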

Lecture number 4

Cryptographic transformation of information

Basic definitions:

Cryptology - a science that studies mathematical methods of protecting information by transforming it. Cryptology is divided into 2 areas:


  1. Cryptography. Studies methods of transforming information that ensure its confidentiality and authenticity. The authenticity of information consists in the genuineness of its authorship and in its integrity.

  2. Cryptanalysis. Combines mathematical methods of violating confidentiality and authenticity without knowing the secret keys.
The main directions of using cryptographic methods:

  1. Transfer of confidential information through non-secure communication channels.

  2. Authentication of transmitted messages.

  3. Storage of information on media in encrypted form.
As the information to be encrypted, decrypted and electronically signed, we will consider texts (messages) built on a certain alphabet.

Alphabet - a finite set of symbols used to encode information.

Text - an ordered set of characters from the alphabet.

Cryptographic system (cipher) - a family T of reversible transformations of plaintext into ciphertext. Each element of this family can be put in one-to-one correspondence with some number k, called the encryption key. The transformation Tk is completely determined by the corresponding algorithm (T) and the key k.

Key - a specific secret state of the parameters of the cryptographic data transformation algorithm, which ensures the selection of one option from the set of possible states for this algorithm. The secrecy of the key must ensure the impossibility of converting the ciphertext into open text, while the algorithm itself can be published and widely known.

Key space K - the set of possible key values (K = A ^ L).

Key and password - both are secret information; the difference lies in how the terms are used. The password is used for authentication, and the key is used to encrypt information.

Difference between the concepts of coding and encryption:

The term coding is more general; it means converting information from one form to another, for example from analog to digital. Encryption - a special case of coding, used primarily to ensure the confidentiality of information.

Data encryption - the process of converting open data into closed (encrypted) data; decryption - the reverse process.

Breaking (decryption without the key) - transformation of closed data into open data without knowing the secret key.

Cryptographic strength - a characteristic of a cipher that determines its resistance to breaking. Usually, this characteristic is determined by the period of time required to break the cipher.

The process of cryptographic data closure can be carried out both in hardware and in software. The hardware implementation has a higher computation speed but, as a rule, a higher cost. The advantage of the software implementation is the flexibility of algorithm settings. Regardless of the implementation method, for modern cryptographic information security systems, there are the following requirements:

Lecture number 6

Three critical properties of the Vernam cipher (one-time pad, or notepad cipher):


  1. The key must be truly random.

  2. The key must match the size of the plaintext.

  3. The key must be applied only once and destroyed after use.
In 1949, Claude Shannon showed that with strict observance of all 3 conditions applied to the gamma (encryption key), this cipher is the only cipher with absolute cryptographic strength, since the ciphertext gives absolutely no information about the plaintext.

In practice, a storage medium with a long, truly random key can be physically transferred once, and messages can then be sent as necessary; this is the idea behind the notepad cipher. At a personal meeting, the sender is given a notepad, each page of which contains a key; the receiving party has an identical notepad. Used pages are destroyed. Such a cipher is also useful if there are two independent channels in each of which the probability of interception is low but different from zero: the encrypted message can be transmitted over one channel and the key over the other, so that to decrypt the message an eavesdropper must listen to both channels at the same time.

The Vernam cipher is the most secure cryptosystem possible, but the constraints that the key must satisfy are so strong that the practical use of this cipher is difficult, so it is used only for the transmission of messages of the highest secrecy.
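The notepad scheme and its three conditions, as an added example in Python that is not part of the original lectures. It also shows why the ciphertext alone reveals nothing (every same-length plaintext is explained by some key) and what leaks if condition 3 is broken; the page size, the messages and all names are constructed for the illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Vernam operation: byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("key and text must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pages(count: int, page_size: int) -> list:
    """Condition 1: every page comes from the OS cryptographic RNG."""
    return [secrets.token_bytes(page_size) for _ in range(count)]


class Notepad:
    """One party's copy of the notepad; a page is destroyed when it is used."""

    def __init__(self, pages):
        self._pages = dict(enumerate(pages))

    def _take(self, page_no: int, length: int) -> bytes:
        if page_no not in self._pages:
            raise KeyError("page already used or never issued")   # condition 3
        if length > len(self._pages[page_no]):
            raise ValueError("message longer than the key page")  # condition 2
        return self._pages.pop(page_no)[:length]

    def encrypt(self, page_no: int, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self._take(page_no, len(plaintext)))

    def decrypt(self, page_no: int, ciphertext: bytes) -> bytes:
        return xor_bytes(ciphertext, self._take(page_no, len(ciphertext)))


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Key under which `ciphertext` decrypts to `candidate`.

    Such a key exists for every candidate of the same length, which is why
    the ciphertext alone carries no information about the plaintext.
    """
    return xor_bytes(ciphertext, candidate)


def reused_key_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """What an eavesdropper holds if one key encrypts two messages:
    c1 XOR c2, in which the key cancels out and p1 XOR p2 remains."""
    return xor_bytes(xor_bytes(p1, key), xor_bytes(p2, key))


if __name__ == "__main__":
    pages = make_pages(2, 32)                 # exchanged once, in person
    sender, receiver = Notepad(pages), Notepad(pages)
    message = b"MEET AT NOON"                 # constructed sample message
    ciphertext = sender.encrypt(0, message)
    print(receiver.decrypt(0, ciphertext))
    other = b"MEET AT NINE"
    print(xor_bytes(ciphertext, key_explaining(ciphertext, other)))
    print(reused_key_leak(message, other, pages[1][:12]) == xor_bytes(message, other))
```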

DES ( Data Encryption Standard )

In 1972, the US National Bureau of Standards initiated a program to protect communications and computer data. One of the goals of the program was to develop a unified cryptographic standard. In 1973, the Bureau published the requirements for a cryptographic algorithm:


  1. The algorithm must provide a high level of security.

  2. The algorithm must be fully defined and easily understood.

  3. The security of the algorithm should be based only on the secrecy of the key and should not depend on the secrecy of the details of the algorithm itself.

  4. The algorithm should be available to all users.

  5. The algorithm should allow adaptation to different applications.

  6. The algorithm should allow economical implementation in the form of electronic devices.

  7. The algorithm should provide a verification capability.

  8. The algorithm must be permitted for export.
This standard was superseded in 2001 by the Advanced Encryption Standard (AES).

DES is a combined block cipher that encrypts data in 64-bit blocks (8 bytes each). 64 bits of plaintext enter on one side of the algorithm and 64 bits of ciphertext come out on the other. DES is a symmetric algorithm. The key length is 56 bits. At its simplest level, the algorithm is just a combination of 2 main encryption methods:


  1. Permutations.

  2. Substitutions.
The fundamental building block of DES is a single application of a combination of these methods to the text, depending on the secret key. Such a block is called a round. DES consists of 16 rounds, i.e. this combination is applied to the text 16 times.

The round is applied repeatedly in order to reach a certain level of avalanche effect (approximately 50%).

Examples: Triple DES, DES with independent keys, DES X, GDES (Generic DES).

Lecture number 7

Public Key Algorithms

The concept of public-key cryptography was pioneered by Diffie and Hellman and independently by Merkle in 1976. Their contribution to cryptography was the idea that keys can be used in pairs (an encryption key and a decryption key), and that it may not be possible to derive one key from the other.

Since 1976, many public-key cryptographic algorithms have been proposed. Many of them are not secure, and many are not suitable for practical implementation: either they use a key that is too long, or the ciphertext is much longer than the plaintext.


An introductory lecture that describes the basic concepts of the field of information security and the tasks solved in it, and answers a very important question: why is it worth doing information security at all? What is its real practical use, with real examples from our lives?

In addition, the lecture describes the basic properties of information security systems, the life cycle of information security (IS) processes, as well as ways to study the business structure of the protected object. You will learn what accessibility, integrity, confidentiality, authenticity and many other concepts are, and understand the types and sources of threats.


Building a threat model and an intruder model (lecture 5)


This lecture is designed to systematize the understanding of the process of building an information security system at an enterprise and describes in detail the process of building a threat model for commercial and state enterprises, as well as building a model of an intruder. These models have a direct impact on the choice of protective measures and the real effectiveness of your information security system.

Information protection should be based on a systematic approach. The systematic approach is that all means used to ensure information security should be considered as a single set of interrelated measures. One of the principles of information protection is the principle of "reasonable sufficiency", which is as follows: one hundred percent protection does not exist under any circumstances; therefore, it is worth striving not for the theoretically maximum achievable level of information protection, but for the minimum necessary in the specific conditions and at the given level of possible threat.

Information protection can be conditionally divided into protection:

    from loss and destruction;

    from unauthorized access.

2. Protection of information from loss and destruction

Loss of information can occur for the following reasons:

    computer malfunction;

    power outages or interruptions;

    damage to storage media;

    erroneous actions of users;

    the action of computer viruses;

    unauthorized intentional actions of others.

These causes can be countered by data backup, i.e. by creating backup copies. Backup tools include:

    backup software included with most operating systems. For example, MS Backup, Norton Backup;

    creation of archives on external storage media.

In case of loss, information can be restored. But this is only possible if:

    after deleting the file, new information was not written to the vacant space;

    if the file was not fragmented, i.e. (Therefore, you should regularly perform the defragmentation operation using, for example, the "Disk Defragmenter" utility included with the Windows operating system).

Recovery is performed by the following software tools:

    Undelete from the DOS Utility Package;

    Unerase from the Norton Utilities.

If the data is of particular value to the user, then you can apply protection against destruction:

    set the files to the Read Only property;

    use special software tools that save files after deletion, simulating deletion. For example, Norton Protected Recycle Bin.

A major threat to the safety of data is posed by disturbances in the power supply system - power outages, voltage surges and drops, etc. It is possible to almost completely avoid the loss of information in such cases by using uninterruptible power supplies. They ensure the normal functioning of the computer even when the power is cut off, by switching to battery power.

    Protection of information from unauthorized access

Unauthorized access - reading, changing or destroying information in the absence of the appropriate authority to do so.

The main typical ways of obtaining information without authorization:

    theft of information carriers;

    copying of information carriers with overcoming protection measures;

    disguise as a registered user;

    hoax (disguise as system requests);

    using the shortcomings of operating systems and programming languages;

    interception of electronic emissions;

    interception of acoustic emissions;

    remote photography;

    the use of eavesdropping devices;

    malicious disabling of protection mechanisms.

To protect information from unauthorized access, the following are used:

    Organizational activities.

    Technical means.

    Software.

    Cryptography.

1. Organizational activities include:

    access control;

    storage of media and devices in a safe (floppy disks, monitor, keyboard);

    restriction of access of persons to computer rooms.

2. Technical means include various hardware methods for protecting information:

    filters, screens for equipment;

    key to lock the keyboard;

    authentication devices - for reading fingerprints, hand shape, iris, typing speed and technique, etc.

3. Software information protection consists in the development of special software that would not allow an outsider to receive information from the system. Software tools include:

    password access;

    lock the screen and keyboard using a combination of keys;

    use of BIOS (basic input-output system) password protection.

4. Cryptographic protection of information means encrypting it when it is entered into a computer system. The essence of this protection is that a certain encryption method (key) is applied to the document, after which the document becomes unavailable for reading by conventional means. Reading the document is possible with the key or using an adequate reading method. If one key is used for both encryption and reading in the process of exchanging information, then the cryptographic process is symmetric. Its disadvantage is the transfer of the key along with the document. Therefore, the Internet uses asymmetric cryptographic systems, where not one but two keys are used: one is public and the other is private. The keys are constructed in such a way that a message encrypted with one half can only be decrypted by the other half. Having created a key pair, the company widely distributes the public key and stores the private key securely.

Both keys represent a kind of code sequence. The public key is published on the company's server. Anyone can encode any message using the public key, and only the owner of the private key can read it after encryption.

The principle of sufficiency of protection. Many users who receive someone else's public key may want to study the algorithm of the encryption mechanism and try to establish a method for decrypting the message in order to reconstruct the private key. The principle of sufficiency is to check the number of private key combinations.

The concept of electronic signature. With the help of an electronic signature, the client can communicate with the bank, giving orders to transfer his funds to the accounts of other persons or organizations. If you need to create an electronic signature, you should use a special program (received from the bank) to create the same 2 keys: private (remains with the client) and public (transferred to the bank).

Read protection is carried out by:

    at the DOS level by introducing Hidden attributes for the file;

    encryption.

Write protection is carried out by:

    setting the Read Only property for the files;

    prohibiting writing to a floppy disk by moving or breaking the lever;

    disabling writing through BIOS setup - "drive not installed"

When protecting information, the problem of reliable data destruction often arises, which is due to the following reasons:

    when deleted, information is not completely erased;

    even after formatting a floppy disk or disk, data can be recovered from the residual magnetic field using special tools.

For reliable deletion, special utilities are used that erase data by repeatedly writing a random sequence of zeros and ones in place of the deleted data.

    Protecting information on the Internet

When working on the Internet, it should be borne in mind that, just as the resources of the World Wide Web are open to each client, the resources of the client's own computer system can, under certain conditions, be open to everyone who has the necessary means. For a private user, this fact does not play a special role, but it is necessary to know about it in order to prevent actions that violate the laws of those countries in which the Internet servers are located. Such actions include voluntary or involuntary attempts to disrupt the performance of computer systems, attempts to hack protected systems, and the use and distribution of programs that disrupt the performance of computer systems (in particular, computer viruses). When working on the World Wide Web, one should remember that absolutely all actions are recorded and logged by special software, and that information about both legal and illegal actions is sure to accumulate somewhere. Thus, the exchange of information on the Internet should be treated like regular correspondence using postcards. Information circulates freely in both directions, but in general it is available to all participants in the information process. This applies to all Internet services open to the public.

However, even in ordinary postal services, along with postcards, there are also postal envelopes. The use of postal envelopes in correspondence does not mean that partners have something to hide. Their use corresponds to a long-established historical tradition and well-established moral and ethical norms of communication. The need for similar "envelopes" to protect information exists on the Internet. Today, the Internet is not only a means of communication and a universal help system: contractual and financial obligations circulate in it, and the need to protect them both from viewing and from falsification is obvious. Since 1999, the Internet has become a powerful tool for retail trade, which requires the protection of credit card data and other electronic means of payment.

The principles of protecting information on the Internet are based on the definition of information we formulated in the first chapter of this guide. Information is a product of the interaction of data and methods adequate to them. If, in the course of the communication process, data is transmitted through open systems (and the Internet is precisely such a system), then it is impossible to exclude access to it by unauthorized persons, even theoretically. Accordingly, security systems focus on the second component of information - methods. Their principle of operation is based on eliminating, or at least making difficult, the selection of an adequate method for transforming data into information.

INFORMATION SECURITY OF PROFESSIONAL ACTIVITIES

Pozhitkova Tatiana Alexandrovna

5th year student, Department of Commodity Science and Organization of Management of Trade Enterprises, TSU, Togliatti


Kharlamova Valentina Vladimirovna

Senior Lecturer, Department of Commodity Science and Organization of Management of Trade Enterprises, TSU, Togliatti

Information (from the Latin informatio - explanation, presentation) - since the middle of the twentieth century, a general scientific concept that includes the exchange of information between people, between a person and an automaton, and between automata, signal exchange in the animal and plant world, and the transmission of signs from cell to cell and from organism to organism; one of the basic concepts of cybernetics.

Information protection is a set of measures aimed at ensuring information security.

According to information security standards, the main thing in any company is:

· Define a goal to ensure the protection of information of computer systems;

· Get the most effective information security management system;

· Calculate the totality of both quantitative and qualitative indicators, as far as they fit the set goals;

· Apply all measures to ensure information security and constantly monitor the current state of the system;

· Apply security management guidelines that allow for a true assessment of the information security available.

For subjects using information systems, the following characteristics of information resources are important: confidentiality, availability and integrity.

Confidentiality is the protection of information from unauthorized access. In other words, there is access authority - there is information. An example is the organization's non-disclosure of information about workers' wages.

Accessibility is a criterion characterized by the quick finding of the necessary information.

Integrity is the truthfulness and relevance of information, its protection from unauthorized access and destruction (change). Integrity is the most important aspect of information security when it comes to, for example, the formulation of drugs, prescribed medical procedures, the course of the technological process - if the integrity of the information of all these examples is violated, this can lead to irreparable consequences.

An analysis of the main features of information resources shows that the most important one for IS users is accessibility.

Integrity is half a step behind in importance - because there is no point in information if it is not true or distorted.

In addition to the three main features of security models, there are also others that are not always mandatory:

· Non-repudiation (appealability) - impossibility of denying authorship;

· Accountability - recognition of the subject of access and registration of his actions;

· Authenticity - a property that guarantees that the subject or resource is identical to the declared one; a sign that guarantees that the information is identical to the declared one.

Information security can be damaged to varying degrees by actions called threats. They are divided into the following categories:

2. Actions carried out by hackers. This refers to people who are professionally involved in computer crimes. Hackers use the DoS attack method. This threat of unauthorized entry can be a tool for destroying data, using confidential information for illegal purposes, as well as for stealing money from accounts, etc. The attack is aimed at network nodes of the organization that are responsible for its efficient operation (mail servers). Hackers massively send data packets to these nodes, which overloads them and takes them out of the working state for some time. This, as a consequence, leads to disruptions in business processes, loss of customers, reputation, etc.

3. Computer viruses, malware. They are widely used to penetrate e-mail, corporate network nodes, the carrier itself and the information storage, which can lead to data loss, information theft. Due to viruses, the work process is suspended, and work time is lost. It is important to point out that a virus can give attackers full or partial control over an organization's activities.

4. Spam. Until recently, spam could be attributed to minor annoying factors, but now it has become one of the main threats to information: spam causes a feeling of psychological discomfort among employees and takes a lot of time to delete from email inboxes, which may entail the deletion of important correspondence. And this, in turn, means the loss of information and the loss of customers.

5. "Natural Threats". In addition to internal factors, external factors can also affect the security of information: incorrect storage of information, theft of media, force majeure, etc.

To summarize: in the modern world, the presence of a well-developed information protection system is one of the main conditions for the competitiveness and even viability of any company.

To ensure the most complete information security, various means of protection must work in the system, that is, they must be applied simultaneously and under centralized control.

Currently, there are many methods for ensuring information security:

· Means of encryption of information stored on computers and transmitted over networks;

· Means of encrypting important information stored on a PC;

· Firewalls;

· Means of content filtering;

· Anti-virus protection means;

· Network vulnerability detection systems and network attack analyzers.

Any of the listed means can be used both individually and in conjunction with others. This makes the spectrum of information protection more extensive, which is undoubtedly a positive factor.

"Complex 3A". Identification and authorization are the leading elements of information security. When you try to access any protected information, identification determines whether you are an authorized user of the network. The purpose of authorization is to identify which information resources a given user has access to. The administration function is to endow the user with individual advanced capabilities, to determine the scope of possible actions for him within the framework of a given network.

Information encryption systems make it possible to minimize losses in the event of an attempt at unauthorized access to data, as well as interception of information during forwarding or transmission over network protocols. The main purpose of this protection method is to ensure the preservation of confidentiality. Requirements are applied to encryption systems, such as a high level of lock secrecy (i.e., cryptographic strength) and legality of use.

The firewall acts as a protective barrier between networks; it controls and protects against unauthorized entry into the network or, conversely, the removal of data packets from it. Firewalls check the incoming and outgoing IP addresses of each data packet against a base of allowed addresses.

It is important to control and filter incoming and outgoing e-mail in order to preserve and protect confidential information. Checking attachments and the mail messages themselves based on the rules established in the organization helps protect employees from spam, and the organization from liability for legal claims.

The administrator, like any other authorized user, may have the right to monitor all changes in information on the server thanks to the integrity checking technology. This makes it possible to detect unauthorized access, control any actions on information (change, delete, etc.), as well as identify the activity of viruses. The control is carried out based on the analysis of file checksums (CRC sums).
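The checksum-based control described above can be sketched as follows. This is an added example, not code from the original article: it records the CRC-32 the text mentions alongside SHA-256, because a CRC detects accidental corruption but is not designed to resist deliberate modification, and it authenticates the stored baseline with an HMAC so that a rewritten baseline is detected as well. The file names, the key and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
import zlib


def file_sums(path, chunk_size=65536):
    """Return [crc32_hex, sha256_hex] for one file, reading it in chunks."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return [format(crc & 0xFFFFFFFF, "08x"), sha.hexdigest()]


def build_baseline(root):
    """Map every file under root (by relative path) to its checksums."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_sums(full)
    return baseline


def seal(baseline, key):
    """Serialise the baseline and compute an HMAC-SHA256 tag over it."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(body, tag, key):
    """Return the baseline only if its tag verifies; otherwise raise."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline failed authentication")
    return json.loads(body)


def compare(baseline, current):
    """Report files added, removed or modified since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Run the check over a constructed directory tree."""
    key = b"constructed-demo-key"  # assumption: kept off the monitored server
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        # Known-good state, recorded once.
        write("config.ini", b"mode=safe\n")
        write("notes.txt", b"quarterly figures\n")
        write("app.bin", b"\x00\x01\x02\x03")
        body, tag = seal(build_baseline(root), key)

        # Later state: one file changed, one deleted, one new.
        write("config.ini", b"mode=open\n")
        os.remove(os.path.join(root, "notes.txt"))
        write("dropped.bin", b"\xff\xfe")
        report = compare(unseal(body, tag, key), build_baseline(root))

        # A baseline edited after sealing must not be trusted.
        try:
            unseal(body.replace(b"config.ini", b"config.inx"), tag, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```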

Currently, anti-virus technologies can detect almost all virus and malware programs by comparing the sample code in the anti-virus database with the code of a suspicious file. Suspicious files can be quarantined, disinfected, or deleted. Antivirus programs can be installed on file and mail servers, firewalls, and workstations operating under common operating systems (Windows, Unix and Linux systems, Novell) on various types of processors.

Spam filters significantly reduce the unproductive labor costs associated with cleaning files from spam, reduce the load on servers, and improve the psychological background in the team. In addition, spam filters reduce the risk of infection with new viruses, because they are often similar in characteristics to spam and are removed.

To protect against natural threats, an organization must create and implement a plan for the prevention and elimination of emergencies (fire, flood). The main method of protecting data is backing up.

There are many means of technical protection of information from unauthorized access (NSD): single-use locks, plastic identification cards, seals, optical and infrared systems, laser systems, locks (mechanical, electromechanical, electronic), video security and control systems.

An information security policy (PIB) is a set of rules, laws, recommendations and practical experience that determine management and design decisions in the field of information security. The PIB is a tool with which information in the system is managed, protected and distributed. The policy should define the behavior of the system in different situations.

The security policy program contains the following steps for creating information protection tools:

1. Finding information and technical resources that need to be protected;

2. Disclosure of the full set of potential threats and channels of information leakage;

3. Assessment of vulnerability and risks of information with the existing set of threats and channels of leakage;

4. Diagnostics of the requirements for the protection system;

5. A selection of information security tools and their characteristics;

6. Implementation and organization of the use of the selected measures, methods and means of protection;

7. Implementation of integrity control and management of the protection system.

Assessment of the current situation is subdivided into two systems: “bottom-up research” and “top-down research”. The first is based on the fact that the information security service, based on all known types of attacks, applies them in practice to check whether this attack is possible from a real offender.

The "top-down" method is a detailed study of all existing schemes for storing and processing information. The first step of the method is to determine which information flows should be protected. Then the current state of the information security system is analyzed to determine which protection methods are implemented, to what extent, and at what level. At the third stage, all information objects are classified into groups in accordance with their confidentiality.

After that, it is necessary to find out how serious the damage can be if the information object is attacked. This step is referred to as "risk computation". The possible damage from an attack, the probability of such an attack, and their product are calculated. The resulting value is the possible risk.

At the most important and crucial stage, the very development of an enterprise security policy takes place, which will provide the most complete protection against possible risks. However, it is necessary to consider the problems that may arise on the way of initiating a security policy. Such problems include the laws of the country and the international community, ethical standards, internal requirements of the organization.

After the creation of an information security policy as such, its economic value is calculated.

At the end of the development, the program is approved by the company's management and documented in detail. This should be followed by the active implementation of all the components specified in the plan. Risk recalculation and subsequent modification of the company's security policy is most often carried out every two years.

The PIB itself is formalized in the form of documented requirements for the information system. There are three levels of such documents (also called detailing):

The documents of the top level of information security policy show the position of the organization towards activities in the field of information protection, its readiness to comply with state and international requirements in this area. For example, they can be named: "IS Concept", "IS Policy", "IS Technical Standard", etc. Top-level documents can be issued in two forms - for external and internal use.

Middle-level documents relate to certain aspects of information security. They describe the requirements for the creation and operation of information security tools for a specific side of information security.

The lower-level documents contain rules and norms of work, administration manuals, instructions for the operation of private information security services.

The stages of the life cycle of an information system are divided into: strategic planning, analysis, design, implementation, deployment (initiation) and operation. Let's consider each stage in detail:

1. Initial stage (strategic planning).

At the first stage, the scope of the system is determined and boundary conditions are set. To do this, it is necessary to identify all external objects with which the developed system will interact, to determine the nature of this interaction. During the strategic planning stage, all functionalities are identified, and the most important ones are described.

2. Stage of refinement.

At the stage of refinement, the applied area is analyzed, the architectural basis of the information system is being developed. It is necessary to describe most of the functionality of the system and take into account the relationship between the individual components. At the end of the refinement stage, architectural solutions and ways to eliminate the leading risks in the program are analyzed.

3. Construction stage.

At this stage, a finished product is created, ready for transfer to the user. At the end of the design, the operability of the resulting software is determined.

4. Stage of transfer to operation (initiation).

The stage is the direct transfer of the software to the user. When using the developed system, problems of various types are often identified that require additional work and adjustments to the product. At the end of this stage, they find out whether the goals set for the developers have been achieved or not.

5. Decommissioning and disposal. As a result of this stage, the data is transferred to the new IS.

Any information system can remain as useful as possible for 3-7 years. Further, its modernization is required. Therefore, we can come to the conclusion that almost every creator faces the problem of modernizing outdated information systems.

To solve the problem of ensuring information security, it is important to apply legislative, organizational, software and hardware measures. Inattention to at least one aspect of this problem can lead to the loss or leakage of information, the cost and role of which in the life of modern society is becoming increasingly important.



The concept of information security

Information security is understood as the security of information and supporting infrastructure from accidental or intentional influences of a natural or artificial nature that can cause unacceptable damage to the subjects of information relations, including the owners and users of information and supporting infrastructure. Information protection is a set of measures aimed at ensuring information security.


Information security issues

Information security is one of the most important aspects of integral security. The following facts are illustrations:

· In the Doctrine of Information Security of the Russian Federation, protection from unauthorized access to information resources and ensuring the security of information and telecommunication systems are identified as important components of national interests;

· During the years. almost 500 attempts were made to penetrate the computer network of the Central Bank of the Russian Federation. In 1995, 250 billion rubles were stolen;

· According to the FBI, the damage from computer crimes in the United States in 1997 amounted to $136 million.


Information security problems

According to the report "Computer Crime and Security - 1999: Problems and Trends":

· 32% of respondents have contacted law enforcement agencies about computer crimes;

· 30% of respondents reported that their IS was hacked by hackers;

· 57% have been attacked over the Internet;

· 55% noted cases of information security violations by their own employees;

· 33% could not answer the question "Have your web servers and e-commerce systems been hacked?"


Information Security Challenges

A 2004 global information security survey conducted by the consulting firm Ernst & Young identified the following key aspects:

· Only 20% of those surveyed are convinced that their organizations consider information security issues at the senior management level;

· According to the respondents, “lack of awareness of information security issues” is the main obstacle to creating an effective information security system. Only 28% noted as priority tasks "increasing the level of training of employees in the field of information security";

· “Misconduct by employees when working with IS” was ranked second in terms of the prevalence of information security threats, after viruses, Trojans and Internet worms. Less than 50% of respondents conduct training for employees in the field of information security;

· Only 24% of respondents believe that their information security departments deserve the highest rating for meeting the business needs of their organizations;

· Only 11% of respondents believe that regulatory acts in the field of security adopted by state bodies have significantly improved the state of their information security.


Information security threats

An information security (IS) threat is a potentially possible event, action, process or phenomenon that can lead to damage to someone's interests. An attempt to implement a threat is called an attack. The classification of IS threats can be performed according to several criteria:

· by the IS aspect (availability, integrity, confidentiality);

· by the IS components that the threats are targeting (data, software, hardware, supporting infrastructure);

· by the method of implementation (accidental or deliberate actions of a natural or man-made nature);

· by the location of the source of threats (inside or outside the considered IS).


Properties of information

Regardless of the specific types of threats, the information system must provide the basic properties of information and systems for its processing:

· accessibility - the ability to obtain information or information services in a reasonable time;

· integrity - the property of relevance and consistency of information, its protection from destruction and unauthorized changes;

· confidentiality - protection from unauthorized access to information.


Examples of implementation of the threat of violation of confidentiality

Part of the information stored and processed in the IS should be hidden from outsiders. The transmission of this information can harm both the organization and the information system itself. Confidential information can be divided into subject and service information. Service information (for example, user passwords) does not belong to a specific subject area, but its disclosure may lead to unauthorized access to all information. Subject information contains information whose disclosure may lead to damage (economic, moral) to the organization or person. Various technical means (eavesdropping on conversations, networks) and other methods (unauthorized transmission of access passwords, etc.) can serve as means of attack. An important aspect is the continuity of data protection throughout the entire life cycle of its storage and processing. An example of a violation is the accessible storage of data backups.


Examples of implementation of the threat of violation of data integrity

Theft and forgery are among the most frequently implemented information security threats. In information systems, unauthorized changes to information can lead to losses. The integrity of information can be divided into static and dynamic.

Examples of violations of static integrity:

· entering invalid data;

· unauthorized change of data;

· modification of a program module by a virus.

Examples of violations of dynamic integrity:

· violation of atomicity of transactions;

· data duplication;

· introducing additional packets into network traffic.


Malicious software

One way to carry out an attack is to inject malware into systems. This type of software is used by cybercriminals for:

· introducing other malicious software;

· gaining control over the attacked system;

· aggressive consumption of resources;

· altering or destroying programs and / or data.

According to the mechanism of distribution, there are:

· viruses - code that has the ability to spread by being embedded in other programs;

· worms - code that can independently cause the distribution of its copies across the IS and their execution.


Malicious software

GOST R "Information security. Object of informatization. Factors affecting information. General Provisions" introduces the following concept of a virus: a software virus is an executable or interpreted program code that has the property of unauthorized distribution and self-reproduction in automated systems or telecommunication networks in order to change or destroy software and / or data stored in automated systems.


Examples of implementation of the threat of denial of access

Denial of service (denial of access to IS) is one of the most frequently implemented IS threats. With regard to IS components, this class of threats can be divided into the following types:

· user refusal (unwillingness, inability to work with IS);

· internal failure of the information system (errors during system reconfiguration, software and hardware failures, data destruction);

· failure of the supporting infrastructure (disruption of communication systems, power supply, destruction and damage to premises).


The concept of an attack on an information system

An attack is any action or sequence of actions that exploits vulnerabilities in an information system and leads to a violation of the security policy. A security mechanism is software and / or hardware that detects and / or prevents an attack. A security service is a service that ensures the security of systems and / or transmitted data as specified by the policy, or detects that an attack is being carried out. The service uses one or more security mechanisms.


Classification of attacks

Classification of attacks on an information system can be performed according to several criteria:

By place of origin:

· Local attacks (the source of this type of attack is users and / or programs of the local system);

· Remote attacks (the source of the attack is remote users, services or applications).

By impact on the information system:

· Active attacks (the result of the impact is the disruption of the information system);

· Passive attacks (aimed at obtaining information from the system without disrupting the functioning of the information system).


Network attacks

I. Passive attack

A passive attack is an attack in which the adversary is unable to modify the transmitted messages or insert his own messages into the information channel between the sender and the receiver. The purpose of a passive attack can only be eavesdropping on transmitted messages and traffic analysis.


Network attacks

An active attack is one in which the adversary has the ability to modify transmitted messages and insert his own messages. A distinction is made between the following types of active attacks:

Denial of service - DoS (Denial of Service) attack

Denial of service disrupts the normal functioning of network services. The adversary can intercept all messages directed to a specific addressee. Another example of such an attack is the creation of significant traffic, as a result of which the network service will not be able to process the requests of legitimate clients. A classic example of such an attack in TCP / IP networks is the SYN attack, in which the attacker sends packets that initiate the establishment of a TCP connection, but does not send packets that complete the establishment of this connection. As a result, a memory overflow on the server may occur, and the server will not be able to establish a connection with legitimate users.


Network attacks

Modification of the data stream - "man in the middle" attack

Modification of the data stream means either changing the content of a message being forwarded or changing the order of messages.




Network attacks

Reuse

Reuse refers to passively capturing data and then forwarding it to gain unauthorized access - a so-called replay attack. In fact, replay attacks are one of the options for falsification, but because they are one of the most common attack options for gaining unauthorized access, they are often considered a separate type of attack.
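The three active attacks on the data stream named above (changed content, changed order, replay) can all be detected by the receiver when each message carries a sequence number covered by a message authentication code. The following is an added example, not part of the original slides; the frame layout, class names, key and messages are constructed for the illustration, and the sketch provides no confidentiality against passive eavesdropping.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                  # size of an HMAC-SHA256 tag in bytes
HDR = struct.Struct(">Q")     # 8-byte big-endian sequence number


class Sender:
    """Builds frames: sequence number || payload || HMAC over both."""

    def __init__(self, key):
        self._key = key
        self._seq = 0

    def protect(self, payload):
        header = HDR.pack(self._seq)
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        self._seq += 1
        return header + payload + tag


class Receiver:
    """Accepts a frame only if it is authentic and is the next one expected."""

    def __init__(self, key):
        self._key = key
        self._expected = 0

    def accept(self, frame):
        if len(frame) < HDR.size + TAG_LEN:
            return ("rejected: truncated", None)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison; any changed bit in header or payload fails here.
        if not hmac.compare_digest(good, tag):
            return ("rejected: modified", None)
        (seq,) = HDR.unpack(body[:HDR.size])
        # The tag is valid, so the frame is genuine: now check its position.
        if seq < self._expected:
            return ("rejected: replayed", None)
        if seq > self._expected:
            return ("rejected: out of order", None)
        self._expected += 1
        return ("accepted", body[HDR.size:])


def demo():
    """Constructed exchange with one altered, one replayed, one reordered frame."""
    key = b"constructed demo key, 32 bytes.."  # assumption: pre-shared secret
    tx, rx = Sender(key), Receiver(key)
    f0 = tx.protect(b"pay 100 to alice")
    f1 = tx.protect(b"pay 250 to bob")
    f2 = tx.protect(b"close session")

    altered = bytearray(f1)
    altered[HDR.size + 4] ^= 0x01          # one payload bit changed in transit

    # Order in which frames reach the receiver in this constructed run.
    arrivals = [f0, bytes(altered), f0, f2, f1, f2]
    return [rx.accept(frame)[0] for frame in arrivals]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```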


Approaches to ensuring information security

To protect AIS, the following provisions can be formulated:

· Information security is based on the provisions and requirements of existing laws, standards and regulatory and methodological documents;

· Information security of AIS is ensured by a complex of software and hardware tools and organizational measures supporting them;

· Information security of the AIS should be ensured at all stages of technological data processing and in all modes of operation, including during repair and routine maintenance;


Approaches to ensuring information security

To protect the AIS, the following provisions can be formulated:

· Software and hardware protection means should not significantly degrade the basic functional characteristics of the AIS;

· An integral part of information security work is the assessment of the effectiveness of protection means, carried out according to a methodology that takes into account the entire set of technical characteristics of the object being evaluated, including technical solutions and practical implementation;

· AIS protection should include monitoring the effectiveness of protective equipment. This control can be periodic or initiated as required by the AIS user.




Consistency of information security means

Consistency in the development and implementation of information security systems involves the identification of possible threats to information security and the choice of methods and means aimed at countering this complex of threats. Solutions should be systemic, that is, include a set of measures to counteract the entire range of threats.




Continuity of protection

Continuity of protection implies that the complex of measures to ensure information security must be continuous in time and space. The protection of information objects must be ensured when performing routine maintenance and repair work, and while setting up and configuring information systems and services.


Reasonable sufficiency

Building and maintaining information security systems requires certain, sometimes significant, funds. At the same time, it is impossible to create an all-encompassing protection system. When choosing a protection system, it is necessary to find a compromise between the costs of protecting information objects and the possible losses if information threats are implemented.


Flexible management and application

Information security threats are multifaceted and not predefined. For successful counteraction, it is necessary to be able to change the means used, promptly include or exclude data protection means, and add new protection mechanisms.


Openness of algorithms and protection mechanisms

Information security tools themselves can pose a threat to an information system or object. Prevention of this class of threats requires that algorithms and protection mechanisms can be independently validated for security and standards compliance, and that they can be used in conjunction with other data protection tools.


Ease of application of protective measures and means

When designing information security systems, it is necessary to remember that the implementation of the proposed measures and means will be carried out by users (often not specialists in the field of information security). Therefore, in order to increase the effectiveness of protection measures, it is necessary that the algorithm for working with them is understandable to the user. In addition, the information security tools and mechanisms used should not disrupt the normal operation of the user with the automated system (dramatically reduce productivity, increase the complexity of work, etc.).


Methods of ensuring information security

Let us consider an example of the classification of methods used to ensure information security:

· obstacle - a method of physically blocking the path of an attacker to information;

· access control - a method of protection by regulating the use of information resources of the system;

· disguise - a method of protecting information by means of its cryptographic transformation;

· regulation - a method of information protection that creates conditions for automated processing in which the possibility of unauthorized access is minimized;

· coercion - a method of protection in which personnel are forced to comply with the rules for the processing, transfer and use of information;

· motivation - a method of protection in which the user is encouraged not to violate the modes of processing, transmission and use of information due to the observance of ethical and moral standards.


Means of protection of information systems

Such means can be classified according to the following features:

· technical means - various electrical, electronic and computer devices;

· physical means - implemented in the form of autonomous devices and systems;

· software means - software designed to perform information security functions;

· cryptographic means - mathematical algorithms that provide data transformation for solving information security problems;

· organizational means - a set of organizational, technical and organizational and legal measures;

· moral and ethical means - implemented in the form of norms that have developed with the spread of computers and information technologies;

· legislative means - a set of legislative acts regulating the rules for the use of IS, processing and transmission of information.